|
Rob,
I agree with Calvin. Consider using a one-way hash instead of an encrypted word. Each time you receive a password, salt it, then hash it. If creating the user, store the hashed value. If checking a password, compare the hashed value to the stored one.
-SK
On 3/17/2021 1:46 PM, Calvin Buckley wrote:
This sample is really concerning without any attention to salting... or
cryptography. Not only is 3DES very busted, it's also not the
appropriate algorithm assuming it's secure. You'd want one-way hashing
(the archetypical example is MD5, but it too is old and busted), plus
salting so someone can't just precompute a bunch of hashes.
Ideally, you'd want password hashing algorithms designed special-
purpose, like bcrypt (disclaimer: I have an ILE port of bcrypt, all
open source). Those are specifically optimized for password hashing by
being expensive to hash, whereas MD5/SHA are designed to be cheap
(because they're designed for general integrity).
As an Amazon Associate we earn from qualifying purchases.
This mailing list archive is Copyright 1997-2025 by midrange.com and David Gibbs as a compilation work. Use of the archive is restricted to research of a business or technical nature. Any other uses are prohibited. Full details are available on our policy page. If you have questions about this, please contact [javascript protected email address].
Operating expenses for this site are earned using the Amazon Associate program and Google Adsense.
midrange.com
